HackAttack: eBay Breach – Change Your Password!

27 May 2014 by Jenn Granger

eBay’s having a bit of a tough one at the moment, following a breach that took place earlier this year. The way they handled it has also been criticised, and considering about 145 million customers were affected, it’s serious business. Current advice is to change passwords, and also look at how to keep those passwords as strong as possible.

What’s the deal?

Word of the breach is out, as the online marketplace has issued an official statement confirming that an attack happened in Feb/March. It compromised a database containing encrypted passwords and other non-financial data; but eBay have said that they don’t have any evidence that data from the hack has actually been used maliciously, or that the bad guys were able to get at their financial information (which they store separately to the passwords, and also encrypt).

They’re still suggesting changing passwords as a precaution though; and it’s important to note that the official password reset email contains no links and you should always be wary of ones that do (as with Microsoft’s recent scam).

The problem is that the information has been exposed for some time – it took eBay weeks to realise there was a breach, and another few to let anyone know – and it’s not just passwords that have been taken. Names, addresses, email addresses, phone numbers and D.O.Bs were also stolen, which could be used for identity theft.

What’s happening now?

Needless to say, peeps aren’t happy, and the UK’s information commissioner is working with European data authorities to build a case to hold eBay accountable for the breach. Three US states are also investigating the theft of names, email addresses and other personal data.

The company is also in the naughty corner for failing to encrypt all its information, and for its slow reaction when informing customers about the theft of their data. eBay says it wanted to find out exactly what had happened before it went public.

What can we do to stay safe?

If you’re an eBay customer you should get an email telling you to reset your password pronto; but some people are saying they’re having problems changing them. eBay insist there aren’t any technical problems with resetting passwords on the site though.

Two-factor authentication

Adding to its list of sins, the company is also in trouble for not using two-factor authentication for employees, after it admitted that attackers got into the user database by using employee login details. Research by SafeNet suggests that fewer than 15% of companies have multi-factor authentication for all their employees, which – as this proves – needs to change.

And finally…

Trey Ford, global security strategist at Rapid7, said: “If eBay chooses to force all users to go through a password reset, the stolen passwords would be useless at eBay, but people would still need to change them on any other site for which they were used.” So, if you change your eBay password, make sure you do the same for any other accounts using it too!

We’ve got a few more tips on keeping your password safe; and if you have any queries about the safety of your solution at UKFast give us a call on 0208 045 4945 or contact your account manager.